Eric:
I don't think you've worked for a school board. I have 150 sites and thousands of employees who are daily accessing HTTPS sites. The whitelist would grow daily and would - given our limited resources - prove unmanageable.
In whitelisting them, your most reliable means is by IP rather than URL, as the domain info on most certificates is invalid - even for legitimate sites. So you would add the IP addresses or ranges & create a whitelist group. Create a policy and allow HTTPS traffic to that whitelist group. Immediately below you would create a policy dropping all HTTPS traffic.
We are not getting any revenue to pay for maintaining this list and in fact are paying out yearly to our appliance provider to seamlessly & relatively effortlessly filter out the unwanted material.
Just my thoughts.
Victor
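
The allow-then-drop policy order described in the post above, modelled as an added example that is not part of the original post. It assumes the appliance evaluates policies top-down with first match winning; the rule names, function names and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed whitelist group: documentation ranges, not real sites.
HTTPS_WHITELIST = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.17/32")]

# Ordered policy table (assumption: first match wins). The allow rule sits
# immediately above the catch-all HTTPS drop. dst=None means "any destination".
POLICIES = [
    {"name": "allow-https-whitelist", "port": 443,
     "dst": HTTPS_WHITELIST, "action": "allow"},
    {"name": "drop-all-https", "port": 443, "dst": None, "action": "drop"},
]


def evaluate(dst_ip, dst_port, policies=POLICIES):
    """Return (action, rule name) of the first policy matching the flow."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in policies:
        if rule["port"] != dst_port:
            continue
        if rule["dst"] is None or any(addr in net for net in rule["dst"]):
            return rule["action"], rule["name"]
    # Non-HTTPS traffic is outside these two policies.
    return "no-match", None


def shadowed_rules(policies=POLICIES):
    """Names of rules that can never fire because an earlier catch-all
    rule on the same port already matches every destination."""
    catch_all_ports = set()
    shadowed = []
    for rule in policies:
        if rule["port"] in catch_all_ports:
            shadowed.append(rule["name"])
        if rule["dst"] is None:
            catch_all_ports.add(rule["port"])
    return shadowed


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.17", "203.0.113.9"):
        print(ip, evaluate(ip, 443))
    # Reversing the order puts the drop first and silently disables the allow.
    print("shadowed if reversed:", shadowed_rules(list(reversed(POLICIES))))
```

Running `shadowed_rules` against an exported policy list is a quick check that a later reordering has not put the drop rule above the whitelist rule.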